From: paca70 Date: Tue, 28 Sep 2004 12:39:20 +0000 (+0000) Subject: Fixed bug 2012 X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=089b19f63109285b3fed84bdeeb6f112cbbd86fa;p=moodle.git Fixed bug 2012 Started work with bug 2007 Bug 1969 is partacaly fixed. ldap-module supports now password expiration. Some work with bugs 761 and 1730 Changes in login/index.php Reordered some code to make variables reusable in multiple places. Added redirection in case of expired password --- diff --git a/auth/ldap/config.html b/auth/ldap/config.html index ae88ccab59..3844f412e0 100644 --- a/auth/ldap/config.html +++ b/auth/ldap/config.html @@ -241,7 +241,6 @@ if (!function_exists('ldap_connect')){ // Is php4-ldap really there?

-

NOTE! This just configuration interface for expiration, code does not support expiration yet.!

@@ -249,9 +248,9 @@ if (!function_exists('ldap_connect')){ // Is php4-ldap really there?

ldap_expiration: ldap_expiration, ""); + $expiration['0'] = "No"; + $expiration['1'] = "LDAP"; + choose_from_menu($expiration, "ldap_expiration", $config->ldap_expiration, ""); if (isset($err["ldap_expiration"])) formerr($err["ldap_expiration"]); ?> diff --git a/auth/ldap/lib.php b/auth/ldap/lib.php index 737fb29e42..2f266a2ba0 100644 --- a/auth/ldap/lib.php +++ b/auth/ldap/lib.php @@ -257,6 +257,40 @@ function auth_get_users($filter='*') { return $fresult; } +function auth_password_expire($username) { +// returns number of days to password expiration +// 0 if passowrd does not expire +// or negative value if password is already expired + global $CFG ; + $result = false; + + $ldapconnection = auth_ldap_connect(); + $user_dn = auth_ldap_find_userdn($ldapconnection, $username); + $search_attribs = array($CFG->ldap_expireattr); + $sr = ldap_read($ldapconnection, $user_dn, 'objectclass=*', $search_attribs); + if ($sr) { + $info=ldap_get_entries($ldapconnection, $sr); + if ( empty($info[0][strtolower($CFG->ldap_expireattr)][0])) { + //error_log("ldap: no expiration value".$info[0][$CFG->ldap_expireattr]); + // no expiration attribute, password does not expire + $result = 0; + } else { + $now = time(); + $expiretime = auth_ldap_expirationtime2unix($info[0][strtolower($CFG->ldap_expireattr)][0]); + if ($expiretime > $now) { + $result = ceil(($expiretime - $now) / DAYSECS); + } else { + $result = floor(($expiretime - $now) / DAYSECS); + } + } + } else { + error_log("ldap: auth_password_expire did't find expiration time!."); + } + + //error_log("ldap: auth_password_expire user $user_dn expires in $result days!"); + return $result; +} + function auth_sync_users ($unsafe_optimizations = false, $bulk_insert_records = 1) { //Syncronizes userdb with ldap //This will add, rename 
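Review bot: The menu options added with `$expiration['0'] = "No";` and `$expiration['1'] = "LDAP";` are hard-coded English while the rest of this form is driven by the language pack; this same commit already adds strings to lang/en/auth.php, so `get_string('no')` plus a new auth string for the LDAP option would keep the page translatable. The explanatory note in the preceding hunk ("code does not support expiration yet") appears to survive this change and is now stale, since auth/ldap/lib.php gains auth_password_expire() in this commit; it should be removed or reworded to describe what the option does. The enclosing PHP block of this template starts outside the hunk.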
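Review bot: `$result = false` is what auth_password_expire() returns when ldap_read() fails, and the only caller added in this commit (login/index.php) pushes it through intval(), so a failed lookup becomes 0, i.e. "password never expires", and the expired-password handling is skipped — the check fails open on LDAP errors. Documenting in the header comment that false means "lookup failed, test with === false" and having callers honour that would keep a directory hiccup from silently disabling the expiry check. The DN from auth_ldap_find_userdn() is used as the ldap_read() base without checking that it resolved, and `$CFG->ldap_expireattr` is left empty for the samba/ad/default types in auth_ldap_init(), in which case the function still makes the round-trip only to return 0; a guard such as `if (empty($CFG->ldap_expireattr)) { return 0; }` before connecting would make that explicit. The header comment also reads "passowrd" for "password".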
@@ -545,7 +579,7 @@ function auth_ldap_init () { global $CFG; $default['ldap_objectclass'] = array( - 'edir' => 'inetOrgPerson', + 'edir' => 'User', 'posix' => 'posixAccount', 'samba' => 'sambaSamAccount', 'ad' => 'user', @@ -559,12 +593,28 @@ function auth_ldap_init () { 'default' => 'cn' ); $default['ldap_memberattribute'] = array( - 'edir' => 'groupMembership', + 'edir' => 'member', 'posix' => 'member', 'samba' => 'member', 'ad' => 'member', //is this right? 'default' => 'member' ); + $default['ldap_memberattribute_isdn'] = array( + 'edir' => '1', + 'posix' => '0', + 'samba' => '0', //is this right? + 'ad' => '0', //is this right? + 'default' => '0' + ); + $default['ldap_expireattr'] = array ( + 'edir' => 'passwordExpirationTime', + 'posix' => 'shadowExpire', + 'samba' => '', //No support yet + 'ad' => '', //No support yet + 'default' => '' + ); + + foreach ($default as $key => $value) { //set defaults if overriding fields not set @@ -572,7 +622,7 @@ function auth_ldap_init () { if (!empty($CFG->ldap_user_type) && !empty($default[$key][$CFG->ldap_user_type])) { $CFG->{$key} = $default[$key][$CFG->ldap_user_type]; }else { - //use defaut value if user_type not set + //use default value if user_type not set if(!empty($default[$key]['default'])){ $CFG->$key = $default[$key]['default']; }else { 
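Review bot: The eDirectory defaults change from `'inetOrgPerson'` to `'User'` and from `'groupMembership'` to `'member'` with no comment, and because auth_ldap_init() applies these only when the admin has not set the field, existing edir installations that rely on the defaults will change behaviour on upgrade; a one-line comment above each new value stating why it is right (or a sentence in the commit message) would help the next maintainer. The new `ldap_memberattribute_isdn` values are the strings `'1'`/`'0'` while the option is later tested as a boolean in auth_ldap_isgroupmember(); that works only because '0' is falsy in PHP, and a comment such as `// '1' = member attribute holds DNs, '0' = plain usernames` would make the intent clear. `$default['ldap_expireattr']` deliberately leaves samba/ad/default empty, so the `!empty()` tests in the loop at @@ -572 fall through to the else branch for those types; that branch continues outside the hunk, so it is worth confirming it does not warn about an intentionally empty default.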
@@ -589,29 +639,63 @@ function auth_ldap_init () { //all chages go in $CFG , no need to return value } +function auth_ldap_expirationtime2unix ($time) { +// takes expriration timestamp readed from ldap +// returns it as unix seconds +// depends on $CFG->usertype variable + + global $CFG; + $result = false; + switch ($CFG->ldap_user_type) { + case 'edir': + $yr=substr($time,0,4); + $mo=substr($time,4,2); + $dt=substr($time,6,2); + $hr=substr($time,8,2); + $min=substr($time,10,2); + $sec=substr($time,12,2); + $result = mktime($hr,$min,$sec,$mo,dt,$yr); + break; + case 'posix': + $result = $time * DAYSECS ; //The shadowExpire contains the number of DAYS between 01/01/1970 and the actual expiration date + break; + default: + error('CFG->ldap_user_type not defined or function auth_ldap_expirationtime2unix does not support selected type!'); + } + return $result; +} + function auth_ldap_isgroupmember ($username='', $groupdns='') { // Takes username and groupdn(s) , separated by ; // Returns true if user is member of any given groups - global $CFG, $USER; - - + global $CFG ; + $result = false; + $ldapconnection = auth_ldap_connect(); + if (empty($username) OR empty($groupdns)) { - return false; + return $result; } + if ($CFG->ldap_memberattribute_isdn) { + $username=auth_ldap_find_userdn($ldapconnection, $username); + } + $groups = explode(";",$groupdns); - //build filter - $filter = "(& ($CFG->ldap_user_attribute=$username)(|"; foreach ($groups as $group){ - $filter .= "($CFG->ldap_memberattribute=$group)"; + $search = @ldap_read($ldapconnection, $group, '('.$CFG->ldap_memberattribute.'='.$username.')', array($CFG->ldap_memberattribute)); + if ($search) {$info = ldap_get_entries($ldapconnection, $search); + + if ($info['count'] > 0 ) { + // user is member of group + $result = true; + break; + } + } } - $filter .= "))"; - //search - $result = auth_ldap_get_userlist($filter); - return count($result); + return $result; } function auth_ldap_connect(){ 
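Review bot: In auth_ldap_isgroupmember() the filter `'('.$CFG->ldap_memberattribute.'='.$username.')'` interpolates the username (or, when ldap_memberattribute_isdn is set, the DN returned by auth_ldap_find_userdn()) into an LDAP search filter without escaping, so the characters `( ) * \` and NUL in that value change the filter's meaning; escape the value per RFC 4515 before building the filter (ldap_escape() with LDAP_ESCAPE_FILTER where the PHP version has it, otherwise a small helper), and treat `$CFG->ldap_memberattribute` the same way if it is admin-editable. In auth_ldap_expirationtime2unix() the call `mktime($hr,$min,$sec,$mo,dt,$yr)` passes the bare constant `dt` instead of `$dt`, so the day of month is wrong for every edir timestamp; it should read `$result = mktime($hr,$min,$sec,$mo,$dt,$yr);`. If the edir value is the usual LDAP GeneralizedTime ending in 'Z' (UTC), gmmktime() rather than mktime() avoids a server-timezone offset — worth confirming against a real directory. The `@` on ldap_read() also hides connection and base-DN errors, which here collapse to "not a member"; that is fail-closed, but an error_log() call like the one in auth_password_expire() would keep such failures visible.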
diff --git a/lang/en/auth.php b/lang/en/auth.php index 3a9e429eed..5f76dcc7d5 100644 --- a/lang/en/auth.php +++ b/lang/en/auth.php @@ -77,6 +77,8 @@ $string['auth_nonedescription'] = 'Users can sign in and create valid accounts i $string['auth_nonetitle'] = 'No authentication'; $string['auth_pamdescription'] = 'This method uses PAM to access the native usernames on this server. You have to install PHP4 PAM Authentication in order to use this module.'; $string['auth_pamtitle'] = 'PAM (Pluggable Authentication Modules)'; +$string['auth_passwordwillexpire'] = 'Your password will expire in $a days. Do you want change your password now?'; +$string['auth_passwordisexpired'] = 'Your password is expired. Do you want change your password now?'; $string['auth_pop3description'] = 'This method uses a POP3 server to check whether a given username and password is valid.'; $string['auth_pop3host'] = 'The POP3 server address. Use the IP number, not DNS name.'; $string['auth_pop3mailbox'] = 'Name of the mailbox to attempt a connection with. (usually INBOX)'; diff --git a/login/index.php b/login/index.php index af8ed05085..5128ff1e1b 100644 --- a/login/index.php +++ b/login/index.php @@ -20,6 +20,27 @@ notify("Could not create guest user record !!!"); } } + + //Define variables used in page + if (!$site = get_site()) { + error("No site found!"); + } + + if (empty($CFG->langmenu)) { + $langmenu = ""; + } else { + $currlang = current_language(); + $langs = get_list_of_languages(); + if (empty($CFG->loginhttps)) { + $wwwroot = $CFG->wwwroot; + } else { + $wwwroot = str_replace('http','https',$CFG->wwwroot); + } + $langmenu = popup_form ("$wwwroot/login/index.php?lang=", $langs, "chooselang", $currlang, "", "", "", true); + } + + $loginsite = get_string("loginsite"); + $frm = false; if ((!empty($SESSION->wantsurl) and strstr($SESSION->wantsurl,"username=guest")) or $loginguest) { 
@@ -69,13 +90,19 @@ unset($SESSION->lang); $SESSION->justloggedin = true; + //Select password change url + if (is_internal_auth() || $CFG->{'auth_'.$USER->auth.'_stdchangepassword'}){ + $passwordchangeurl=$CFG->wwwroot.'/login/change_password.php'; + } elseif($CFG->changepassword) { + $passwordchangeurl=$CFG->changepassword; + } + + // check whether the user should be changing password reload_user_preferences(); if ($USER->preference['auth_forcepasswordchange']){ - if (is_internal_auth() || $CFG->{'auth_'.$USER->auth.'_stdchangepassword'}){ - redirect("$CFG->wwwroot/login/change_password.php"); - } elseif($CFG->changepassword) { - redirect($CFG->changepassword); + if (isset($passwordchangeurl)) { + redirect($passwordchangeurl); } else { error("You cannot proceed without changing your password. However there is no available page for changing it. @@ -83,16 +110,39 @@ } } + + if (user_not_fully_set_up($USER)) { - redirect("$CFG->wwwroot/user/edit.php?id=$USER->id&course=".SITEID); + $urltogo = $CFG->wwwroot.'/user/edit.php?id='.$USER->id.'&course='.SITEID; } else if (strpos($wantsurl, $CFG->wwwroot) === 0) { /// Matches site address - redirect($wantsurl); + $urltogo = $wantsurl; } else { - redirect("$CFG->wwwroot/"); /// Go to the standard home page + $urltogo = $CFG->wwwroot.'/'; /// Go to the standard home page } - + + // check if user password has expired + // Currently supported only for ldap-authentication module + if (isset($CFG->ldap_expiration) && $CFG->ldap_expiration == 1 ) { + if (function_exists('auth_password_expire')){ + $days2expire = auth_password_expire($USER->username); + if (intval($days2expire) > 0 && intval($days2expire) < intval($CFG->{$USER->auth.'_expiration_warning'})) { + print_header("$site->fullname: $loginsite", "$site->fullname", $loginsite, $focus, "", true, "
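Review bot: `$passwordchangeurl` is assigned only inside the two branches of the new if/elseif, so when neither is_internal_auth() nor the per-auth stdchangepassword flag nor `$CFG->changepassword` holds, the variable never exists; the forcepasswordchange branch below guards with isset(), but the expiry dialog added later in this file (the @@ -83 hunk) passes it to notice_yesno() unguarded. Initialising it first, `$passwordchangeurl = null; // stays null when no change-password page is available`, keeps the isset() logic working and gives the later code one value to test. `$CFG->changepassword` is read without isset()/empty(), which emits a notice when the setting is absent; `} elseif (!empty($CFG->changepassword)) {` avoids that. The surrounding login-success block starts outside the hunk.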

$langmenu
"); + notice_yesno(get_string('auth_passwordwillexpire', 'auth', $days2expire), $passwordchangeurl, $urltogo); + print_footer(); + exit; + } elseif (intval($days2expire) < 0 ) { + print_header("$site->fullname: $loginsite", "$site->fullname", $loginsite, $focus, "", true, "
$langmenu
"); + notice_yesno(get_string('auth_passwordisexpired', 'auth'), $passwordchangeurl, $urltogo); + print_footer(); + exit; + } + } + } + + redirect($urltogo); + reset_login_count(); die; @@ -128,25 +178,6 @@ $show_instructions = false; } - if (!$site = get_site()) { - error("No site found!"); - } - - if (empty($CFG->langmenu)) { - $langmenu = ""; - } else { - $currlang = current_language(); - $langs = get_list_of_languages(); - if (empty($CFG->loginhttps)) { - $wwwroot = $CFG->wwwroot; - } else { - $wwwroot = str_replace('http','https',$CFG->wwwroot); - } - $langmenu = popup_form ("$wwwroot/login/index.php?lang=", $langs, "chooselang", $currlang, "", "", "", true); - } - - $loginsite = get_string("loginsite"); - print_header("$site->fullname: $loginsite", "$site->fullname", $loginsite, $focus, "", true, "
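Review bot: For an expired password the new code shows notice_yesno() with `$urltogo` as the "no" destination, so a user whose password has expired can decline and continue into the site; the commit message says "redirection in case of expired password" and the forcepasswordchange branch above does redirect, so if expiry is meant to be enforced this branch should `redirect($passwordchangeurl);` (or error out when none is available) rather than offer a choice — if it is intentionally advisory, a comment saying so would help. `$passwordchangeurl` is passed to notice_yesno() in both branches but is assigned only conditionally in the @@ -69 hunk above, so it can be undefined here; mirror the isset() guard used by the forcepasswordchange path. The enabling flag is the fixed `$CFG->ldap_expiration` while the threshold is read from `$CFG->{$USER->auth.'_expiration_warning'}`; naming both per auth module (or both fixed) would make the "currently LDAP only" comment match the code.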
$langmenu
"); include("index_form.html"); print_footer();